
Employees of Failed Startups Are at Special Risk of Stolen Personal Data Through Old Google Logins (techcrunch.com)
Hackers could steal sensitive personal data from former startup employees by exploiting abandoned company domains and Google login systems, security researcher Dylan Ayrey revealed at the ShmooCon conference. The vulnerability particularly affects startups that relied on "Sign in with Google" features for their business software.
Ayrey, CEO of Truffle Security, demonstrated the flaw by purchasing one failed startup's domain and accessing ChatGPT, Slack, Notion, Zoom and an HR system containing Social Security numbers. His research found 116,000 website domains from failed tech startups currently available for sale. While Google offers preventive measures through its OAuth "sub-identifier" system, some providers avoid it due to reliability concerns - which Google disputes. The company initially dismissed Ayrey's finding as a fraud issue before reversing course and awarding him a $1,337 bounty. Google has since updated its documentation but hasn't implemented a technical fix, TechCrunch reports.
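The mitigation the summary refers to is, on the relying party's side, a matter of which claim in the Google ID token is used to look up an existing account. The following is an added example, not code from the article or from Truffle Security; it assumes the token has already been signature-verified and that its claims are available as a dict with the standard OpenID Connect fields `sub`, `email` and `hd`, and all sample values are constructed.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Account:
    account_id: str
    email: str
    google_sub: str   # the `sub` claim recorded when the account was first created

# Constructed sample data: an employee account created while the startup was alive.
ACCOUNTS = [
    Account("acct-alice", "alice@example-startup.com", "100000000000000000001"),
]

# Token issued to the original employee (constructed claims).
TOKEN_ORIGINAL = {
    "sub": "100000000000000000001",
    "email": "alice@example-startup.com",
    "email_verified": True,
    "hd": "example-startup.com",
}

# Token issued to whoever re-registered the lapsed domain and created a new
# Workspace user with the same address. Google issues a *different* `sub` for
# this new identity, but `email` and `hd` look identical to the old ones.
TOKEN_NEW_OWNER = {
    "sub": "200000000000000000002",
    "email": "alice@example-startup.com",
    "email_verified": True,
    "hd": "example-startup.com",
}

def login_by_email(accounts: list, claims: dict) -> Optional[Account]:
    """Weak: matching on email (or hd) re-attaches the old account to anyone
    who later controls the domain."""
    return next((a for a in accounts if a.email == claims["email"]), None)

def login_by_sub(accounts: list, claims: dict) -> Optional[Account]:
    """Hardened: match only on the stable `sub`. A token from the re-registered
    domain returns None, so the caller must treat it as a brand-new user rather
    than granting access to the former employee's data."""
    return next((a for a in accounts if a.google_sub == claims["sub"]), None)
```

The email-keyed lookup hands the new domain owner the old account; the `sub`-keyed lookup does not, which is the property an audit of a "Sign in with Google" integration should check for.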
and layed off staff is going to shuttering a compa (Score:2)
and layed off staff is going to do shuttering a company tasks for free?
Re: (Score:2)
laid off
FFS
Had this happen to me (Score:4, Informative)
Years ago, I let one of my personal domains go without first removing some of the links I had set up to Google.
I got it sorted out, but it was an eye opening experience about sanitizing your domain before you let it lapse.
Re: Had this happen to me (Score:2)
In the process of that now. It is an eye-opener to how many "tech" companies are full of completely clueless morons.
Do you know that about 30% of sites refuse to let you change your email address at all. Of them, about half make it virtually impossible to cancel the account.
Those ranks include companies that should know better - including two big Linux vendors.
New primary key for Google Workspace instances? (Score:2)
Maybe Google needs a new primary key for Workspace instances. Say someone creates a domain+workspace on January 1, and then the domain is moved a few months later, and a workspace is created. Shouldn't foo.com be either foo.com with the active workspace (the one currently validated), or foo.com-1jan25 for previous ones? This will ensure there is an easy way to separate workspaces from Internet domains.